We at the Privacy Rights Clearinghouse commend Senator Figueroa and the two Senate Committees for conducting a hearing on outsourcing, and for considering not only the employment implications but also the potential risks to the privacy and security of records containing sensitive personal information. I restrict my comments to the issues of privacy and security.

Advances in data communications in recent years have made outsourcing increasingly viable. Now back-office and customer-assistance operations that have been handled by contractors in the U.S. can be shipped to companies in lower-wage countries such as India and the Philippines where English is commonly spoken as a second language. As a result, customer records containing highly sensitive personal information are transmitted to, processed by, and stored within such overseas companies. And that is where we at the PRC focus our concerns.

Consider the data elements in a typical tax return or mortgage application, documents that are increasingly being processed overseas. They contain the customer's Social Security number, date of birth, and financial account numbers, for starters. It's not only financial-related companies that are sending customers' records offshore. Many healthcare providers and medical contractors are doing the same, sending highly sensitive information about patients' health as well as their SSNs and dates of birth overseas.

I do not want to imply that companies outside the U.S. are less capable of protecting records containing personal information. On the contrary, news accounts of several such offshore companies describe security practices that far exceed the privacy protection strategies of many U.S. businesses.

Rather, our main concern is that of consumer protection.

What recourse does an individual have if his/her personal information is handled improperly by an overseas company? Most countries to which data is being transmitted have no data protection laws on the books.

If a U.S. law or regulation is violated, will the appropriate U.S. regulatory agency, such as the Federal Trade Commission or the Office of the Comptroller of the Currency, send investigators to the offshore company to conduct an investigation? Probably not.

If an employee of an overseas company observes improprieties and wants to blow the whistle, who can he or she contact to file a complaint? And will that individual be protected by U.S. whistleblower laws? Again, not likely.

If an individual becomes a victim of identity theft and is able to trace the illegitimate access to his or her personal information back to an overseas company, can that individual attempt to take legal action against that company for its negligence? Technically perhaps, but realistically probably not. A bigger question is whether the victim of identity theft would even be able to trace the data breach back to its source. Not likely.

How would California's law requiring that individuals be notified of security breaches involving sensitive personal information be applied and enforced if the illegitimate access to computer files were to occur in an offshore company? (California Civil Code sections 1798.82-1798.84)

How will U.S. companies be able to prevent overseas firms from subcontracting the work to other companies, which then subcontract it to yet others? In a widely reported incident, a subcontractor in Pakistan threatened to expose the personal information contained in the medical records she was transcribing if she were not paid what she was due. (David Lazarus, "A tough lesson on medical privacy: Pakistani transcriber threatens UCSF over back pay," San Francisco Chronicle, October 22, 2003.)

Certainly, the majority of U.S. companies that hire offshore companies to handle data containing sensitive personal information will establish contracts that attempt to ensure such data is processed in a secure environment with proper information-handling practices. But it is questionable whether even the most iron-clad contracts are able to overcome the fact that the data processing is occurring outside the U.S. legal and regulatory infrastructure.

In the final analysis, the question remains: Is there sufficient oversight and accountability to adequately protect sensitive personal information when data processing occurs in overseas companies?

Once again, we commend you for tackling this challenging public policy issue.